Configuring Subauthentication on a New Installation of IIS 6.0

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

By default, after installing Windows Server 2003 and IIS 6.0, IIS runs in worker process isolation mode and subauthentication is disabled. Subauthentication is disabled when the AnonymousPasswordSync metabase property is set to false.

To enable anonymous password synchronization, ensure that your system meets the following requirements:

  • The subauthentication component, Iissuba.dll, must be registered.

  • The application pool of the Web site runs as the LocalSystem user account. However, running as the LocalSystem user account might be a security risk because it allows the worker process full access to the entire system.

  • The AnonymousPasswordSync metabase property must be enabled (set to true).

Procedures

Important

You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /user:MyComputer\Administrator cmd to open a command window with administrator rights and then type cscript.exe ScriptName (include the script's full path and any known parameters).

To configure subauthentication and enable anonymous password synchronization

  1. From the Start menu, click Run.

  2. In the Open box, type cmd, and click OK.

  3. At the command prompt, type the following and then press ENTER:

    rundll32 %systemroot%\system32\iissuba.dll,RegisterIISSUBA

  4. Set the identity of the application pool to the LocalSystem user account. For step-by-step information about setting the application pool identity, see Configuring Application Pool Identity in IIS 6.0.

    Important

    Running as the LocalSystem user account might pose a security risk because it allows the worker process full access to the entire system.

  5. At the IisWebService node, set the AnonymousPasswordSync metabase property to true.
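The following script is an added example, not part of the original procedure. It reads or sets AnonymousPasswordSync at the IisWebService node (step 5) through the ADSI IIS provider and lists every application pool that runs as LocalSystem, so you can confirm that only the intended pool carries that identity. The file name subauth_state.vbs is hypothetical, and the script assumes the local metabase is reachable at IIS://localhost.

```vbscript
' Added example: report or change the settings this procedure touches.
' Usage:  cscript //nologo subauth_state.vbs             (report only)
'         cscript //nologo subauth_state.vbs true|false  (set, then report)
Option Explicit

' AppPoolIdentityType values: 0 = LocalSystem, 1 = LocalService,
' 2 = NetworkService, 3 = configured account
Const LOCAL_SYSTEM = 0

Dim svc, pools, pool, arg, found

' IIsWebService node of the local metabase (ADSI IIS provider).
Set svc = GetObject("IIS://localhost/W3SVC")

If WScript.Arguments.Count = 1 Then
    arg = LCase(WScript.Arguments(0))
    If arg <> "true" And arg <> "false" Then
        WScript.Echo "Argument must be true or false."
        WScript.Quit 1
    End If
    svc.Put "AnonymousPasswordSync", (arg = "true")
    svc.SetInfo   ' commit the change to the metabase
End If

WScript.Echo "AnonymousPasswordSync at W3SVC: " & CStr(svc.AnonymousPasswordSync)

' Enumerate application pools and flag those running as LocalSystem.
found = False
Set pools = GetObject("IIS://localhost/W3SVC/AppPools")
For Each pool In pools
    If pool.AppPoolIdentityType = LOCAL_SYSTEM Then
        WScript.Echo "Application pool running as LocalSystem: " & pool.Name
        found = True
    End If
Next

If Not found Then
    WScript.Echo "No application pool runs as LocalSystem."
End If
```

Run it with no argument after revoking the registration to confirm that AnonymousPasswordSync is false and that no application pool was left running as LocalSystem.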

When you no longer want to use subauthentication, revoke the subauthentication component's registration.

To revoke the subauthentication component's registration

  1. From the Start menu, click Run.

  2. In the Open box, type cmd, and click OK.

  3. At the command prompt, type the following and then press ENTER:

    rundll32 %systemroot%\system32\iissuba.dll,UnregisterIISSUBA